heap use-after-free in link::VideoFrameSubmitter::~VideoFrameSubmitter()
Reported by cdsrc2...@gmail.com, May 21 2018
Issue description
UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Steps to reproduce the problem:
1. Build the source code.
   Configure the args.gn file as below:
     use_sanitizer_coverage = true
     is_asan = true
     is_debug = false
     enable_nacl = false
     treat_warnings_as_errors = false
   ninja -j4 -C out/chrome_asan chrome
2. Build a mini web server.
   I used the Python Twisted module to build the web server.
   1) cp 1.ogg (or any other normal ogg file) to webserver/res/
   2) python webserver/web.py
3. ./chrome --no-sandbox http://127.0.0.1:8605/launcher.html
4. Wait for about 0.5-1 minutes until the number of child windows is above 30 (not sure of the exact figure).
5. Close the browser.
What is the expected behavior?
What went wrong?
When closing the browser, a UAF crash happened.
With two different Chrome versions, we both got the UAF crash, but the stack trace is different.
The first one is in 68.0.3430.0 (Developer Build) (64-bit).
The second one is in 68.0.3429.0 (Developer Build) (64-bit).
For the stack traces, see first_log.txt and second_log.txt.
Did this work before? N/A
Chrome version: 68.0.3429.0 Channel: n/a
OS Version: 16.04
Flash Version:
1. The crash can be reproduced stably in 68.0.3429.0, occasionally in the other.
2. For the web server and resources, see webserver.zip.
May 21 2018
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=6178657681539072.
May 21 2018
I can't reproduce this locally. Will give another try on CF, but I'm skeptical about that. You mention a 1.ogg file, but I don't see it referenced in any of the HTML files you provided. Also, Chrome blocks pop-up windows by default, i.e. it doesn't open poc.html tabs for me until I allow it to do so. Could you please double check whether the reproducer you've provided works? Also, would it be possible to remove user interaction (allow pop-ups) and make it more stable overall?
May 21 2018
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5518790314688512.
May 21 2018
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=4915785496264704.
May 22 2018
Sorry for my mistake. Step 1, which mentions the 1.ogg file, is a writing error; there is no need for 1.ogg and we should delete that step. The user interaction, used to make more windows, is not the important part of the crash. If the detail of the crash is understood, maybe it can be removed. How about trying these args for chrome? "--no-sandbox --no-zygote --incognito --expose-wasm --disable-translate --no-process-singleton-dialog --no-default-browser-check --no-first-run --new-window --allow-file-access-from-files http://127.0.0.1:8605/launcher.html" These are the args from when the crash first happened. (But in my OS, only "--no-sandbox" also works.) Sorry for my mistake again; the other reproducer is OK.
May 22 2018
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
May 30 2018
Max, are you able to repro using the flags in comment #6?
May 31 2018
Nope. Just tried again using https://storage.cloud.google.com/chromium-browser-asan/linux-release/asan-linux-release-563379.zip and no luck. The best I've got was OOM, which is quite funny, given the amount of RAM I have.
May 31 2018
Thanks Max. lethalantidote: Would you be able to take a look at this one? It looks Blink>Paint related but please reassign if that's not correct. Thanks.
Jun 1 2018
This is the destructor code, so presumably the context_provider has been freed when this destructor is called.
  VideoFrameSubmitter::~VideoFrameSubmitter() {
    // context_provider_ is a bare pointer here; if the provider was already
    // destroyed, this call touches freed memory.
    if (context_provider_)
      context_provider_->RemoveObserver(this);
  }
Jun 1 2018
Looks like this changed in https://chromium.googlesource.com/chromium/src/+/df92bfed734a92c8f839af121218917ae599157d
Jun 2 2018
So the first crash log looks like it is referring to a bug that already has a fix landed. As for the second crash log, I am looking into it.
Jun 2 2018
Jun 2 2018
Jun 2 2018
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jun 2 2018
Jun 5 2018
Jun 12 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/2fa8c2c72da47e87f4e9a9221b3ddab97ee66fd8

commit 2fa8c2c72da47e87f4e9a9221b3ddab97ee66fd8
Author: CJ DiMeglio <lethalantidote@chromium.org>
Date: Tue Jun 12 21:13:26 2018

Makes VideoFrameSubmitter's ptr to context_provider scoped_refptr.

This CL prevents VideoFrameSubmitter from accessing a bare ptr of |context_provider_| after it has been deleted by changing ptr to be a scoped_refptr.

Bug: 845136
Cq-Include-Trybots: luci.chromium.try:linux_layout_tests_slimming_paint_v2;master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2
Change-Id: Ia574a206519857ddb4169aaec281b64e3689e8ce
Reviewed-on: https://chromium-review.googlesource.com/1087514
Commit-Queue: CJ DiMeglio <lethalantidote@chromium.org>
Reviewed-by: Justin Novosad <junov@chromium.org>
Reviewed-by: Frank Liberato <liberato@chromium.org>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Sadrul Chowdhury <sadrul@chromium.org>
Cr-Commit-Position: refs/heads/master@{#566570}

[modify] https://crrev.com/2fa8c2c72da47e87f4e9a9221b3ddab97ee66fd8/content/renderer/media/gpu/gpu_video_accelerator_factories_impl.cc
[modify] https://crrev.com/2fa8c2c72da47e87f4e9a9221b3ddab97ee66fd8/content/renderer/media/gpu/gpu_video_accelerator_factories_impl.h
[modify] https://crrev.com/2fa8c2c72da47e87f4e9a9221b3ddab97ee66fd8/content/renderer/media/media_factory.cc
[modify] https://crrev.com/2fa8c2c72da47e87f4e9a9221b3ddab97ee66fd8/media/DEPS
[modify] https://crrev.com/2fa8c2c72da47e87f4e9a9221b3ddab97ee66fd8/media/video/BUILD.gn
[modify] https://crrev.com/2fa8c2c72da47e87f4e9a9221b3ddab97ee66fd8/media/video/gpu_video_accelerator_factories.h
[modify] https://crrev.com/2fa8c2c72da47e87f4e9a9221b3ddab97ee66fd8/media/video/mock_gpu_video_accelerator_factories.h
[modify] https://crrev.com/2fa8c2c72da47e87f4e9a9221b3ddab97ee66fd8/third_party/blink/public/platform/web_video_frame_submitter.h
[modify] https://crrev.com/2fa8c2c72da47e87f4e9a9221b3ddab97ee66fd8/third_party/blink/renderer/platform/graphics/DEPS
[modify] https://crrev.com/2fa8c2c72da47e87f4e9a9221b3ddab97ee66fd8/third_party/blink/renderer/platform/graphics/video_frame_submitter.cc
[modify] https://crrev.com/2fa8c2c72da47e87f4e9a9221b3ddab97ee66fd8/third_party/blink/renderer/platform/graphics/video_frame_submitter.h
[modify] https://crrev.com/2fa8c2c72da47e87f4e9a9221b3ddab97ee66fd8/third_party/blink/renderer/platform/graphics/video_frame_submitter_test.cc
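To make the lifetime problem concrete, here is an added C++ model (not Chromium code) of the destructor quoted in the earlier comment and of the scoped_refptr fix in this commit. Provider, BareSubmitter and RefSubmitter are hypothetical stand-ins for context_provider_ and VideoFrameSubmitter, std::shared_ptr stands in for scoped_refptr, and a registry of destroyed ids replaces the real use-after-free so the example runs without undefined behaviour.

```cpp
// Added example, not Chromium code. Provider stands in for context_provider_, the two
// Submitter types for VideoFrameSubmitter before and after the fix. Provider records
// destroyed ids so a dangling access is detected without touching freed memory.
#include <memory>
#include <set>
struct Observer { virtual ~Observer() = default; };

struct Provider {
  static std::set<int>& Destroyed() { static std::set<int> s; return s; }
  static int NextId() { static int n = 0; return n++; }
  int id = NextId();
  std::set<Observer*> observers;
  ~Provider() { Destroyed().insert(id); }
  void AddObserver(Observer* o) { observers.insert(o); }
  void RemoveObserver(Observer* o) { observers.erase(o); }
};

// Before the fix: a bare pointer, as in the destructor quoted in the thread.
struct BareSubmitter : Observer {
  Provider* provider_;
  int provider_id_;
  static bool& Dangling() { static bool d = false; return d; }  // set on a dead-provider access
  explicit BareSubmitter(Provider* p) : provider_(p), provider_id_(p->id) { p->AddObserver(this); }
  ~BareSubmitter() override {
    if (provider_ && Provider::Destroyed().count(provider_id_)) { Dangling() = true; return; }  // real code: UAF
    if (provider_) provider_->RemoveObserver(this);
  }
};
// After the fix: a shared_ptr (std analogue of scoped_refptr) keeps the provider alive.
struct RefSubmitter : Observer {
  std::shared_ptr<Provider> provider_;
  explicit RefSubmitter(std::shared_ptr<Provider> p) : provider_(std::move(p)) { provider_->AddObserver(this); }
  ~RefSubmitter() override { if (provider_) provider_->RemoveObserver(this); }
};
// Teardown in the order that triggers the bug: the owner drops the provider, the submitter dies later.
bool BareVersionDangles() {
  auto owner = std::make_unique<Provider>();
  auto submitter = std::make_unique<BareSubmitter>(owner.get());
  owner.reset();      // provider destroyed while still observed
  submitter.reset();  // destructor runs against a dead pointer
  return BareSubmitter::Dangling();
}
bool RefVersionProviderDiedEarly() {
  auto owner = std::make_shared<Provider>();
  int id = owner->id;
  auto submitter = std::make_unique<RefSubmitter>(owner);
  owner.reset();      // owner's ref gone; the submitter's ref keeps the provider alive
  bool died_early = Provider::Destroyed().count(id) > 0;
  submitter.reset();  // RemoveObserver runs on a live object, then the last ref goes
  return died_early;
}
```

Under ASan the bare-pointer variant would report a heap-use-after-free at RemoveObserver; the registry check stands in for that report here.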
Jun 12 2018
Jun 13 2018
Jun 15 2018
Jun 15 2018
This bug requires manual review: DEPS changes referenced in bugdroid comments. Please contact the milestone owner if you have questions. Owners: cmasso@(Android), kariahda@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jun 16 2018
Approving merge for M68. Branch:3440
Jun 18 2018
Jun 18 2018
Please merge your change to the M68 branch 3440 ASAP so we can pick it up for this week's Beta release. The merge has to happen by 1:00 PM PT tomorrow, Tuesday (06/19), at the latest, so we can pick it up for Wednesday's Beta release.
Jun 18 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/1fb6003331dfd2794ae6c654b91fe3ad8109c5a5

commit 1fb6003331dfd2794ae6c654b91fe3ad8109c5a5
Author: CJ DiMeglio <lethalantidote@chromium.org>
Date: Mon Jun 18 22:08:58 2018

Makes VideoFrameSubmitter's ptr to context_provider scoped_refptr.

>>>>>>> 2fa8c2c72da4... Makes VideoFrameSubmitter's ptr to context_provider scoped_refptr.

This CL prevents VideoFrameSubmitter from accessing a bare ptr of |context_provider_| after it has been deleted by changing ptr to be a scoped_refptr.

(cherry picked from commit 2fa8c2c72da47e87f4e9a9221b3ddab97ee66fd8)

Bug: 845136
Cq-Include-Trybots: luci.chromium.try:linux_layout_tests_slimming_paint_v2;master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2
Change-Id: Ia574a206519857ddb4169aaec281b64e3689e8ce
Reviewed-on: https://chromium-review.googlesource.com/1087514
Commit-Queue: CJ DiMeglio <lethalantidote@chromium.org>
Reviewed-by: Justin Novosad <junov@chromium.org>
Reviewed-by: Frank Liberato <liberato@chromium.org>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Sadrul Chowdhury <sadrul@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#566570}
Reviewed-on: https://chromium-review.googlesource.com/1105313
Reviewed-by: CJ DiMeglio <lethalantidote@chromium.org>
Cr-Commit-Position: refs/branch-heads/3440@{#425}
Cr-Branched-From: 010ddcfda246975d194964ccf20038ebbdec6084-refs/heads/master@{#561733}

[modify] https://crrev.com/1fb6003331dfd2794ae6c654b91fe3ad8109c5a5/content/renderer/media/gpu/gpu_video_accelerator_factories_impl.cc
[modify] https://crrev.com/1fb6003331dfd2794ae6c654b91fe3ad8109c5a5/content/renderer/media/gpu/gpu_video_accelerator_factories_impl.h
[modify] https://crrev.com/1fb6003331dfd2794ae6c654b91fe3ad8109c5a5/content/renderer/media/media_factory.cc
[modify] https://crrev.com/1fb6003331dfd2794ae6c654b91fe3ad8109c5a5/media/DEPS
[modify] https://crrev.com/1fb6003331dfd2794ae6c654b91fe3ad8109c5a5/media/video/BUILD.gn
[modify] https://crrev.com/1fb6003331dfd2794ae6c654b91fe3ad8109c5a5/media/video/gpu_video_accelerator_factories.h
[modify] https://crrev.com/1fb6003331dfd2794ae6c654b91fe3ad8109c5a5/media/video/mock_gpu_video_accelerator_factories.h
[modify] https://crrev.com/1fb6003331dfd2794ae6c654b91fe3ad8109c5a5/third_party/blink/public/platform/web_video_frame_submitter.h
[modify] https://crrev.com/1fb6003331dfd2794ae6c654b91fe3ad8109c5a5/third_party/blink/renderer/platform/graphics/DEPS
[modify] https://crrev.com/1fb6003331dfd2794ae6c654b91fe3ad8109c5a5/third_party/blink/renderer/platform/graphics/video_frame_submitter.cc
[modify] https://crrev.com/1fb6003331dfd2794ae6c654b91fe3ad8109c5a5/third_party/blink/renderer/platform/graphics/video_frame_submitter.h
[modify] https://crrev.com/1fb6003331dfd2794ae6c654b91fe3ad8109c5a5/third_party/blink/renderer/platform/graphics/video_frame_submitter_test.cc
Jun 20 2018
Jun 21 2018
*** Boilerplate reminders! *** Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing. *********************************
Jun 21 2018
Hi cdsrc2016@ - the VRP panel decided to reward $500 for this report. Thanks!
Jun 21 2018
Jun 24 2018
Thanks a lot for the reward! BTW, will this one be assigned a CVE?
Sep 19
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 9
I'm afraid we only issue CVEs to bugs found in the stable channel :-(